SPI-based data report filtering principle and implementation


Reposted from Jiakang

Contents
1) Personal firewall technology overview
2) Winsock 2 SPI introduction
3) Analysis of the relevant program code
4) Summary and postscript
5) Appendix: source code

1) Personal firewall technology overview

As network security problems grow, users are paying ever more attention to network security products, and the firewall has become the most popular network security tool of all. Personal firewalls running on PCs have largely become the security guards of ordinary netizens. A personal firewall under Windows is built on packet interception technology, although concrete implementations differ considerably. Broadly, packet filtering falls into two categories: user-level and kernel-level. Kernel-level filtering covers the TDI filter driver, the NDIS intermediate-layer filter driver, the NDIS filter hook driver and so on, all of which are network drivers; user-level filtering includes the SPI interface, the Windows 2000 packet filtering interface and so on. This article describes SPI-based packet filtering, which is a new feature of Winsock 2.

2) Winsock 2 SPI introduction

Winsock 2 is an interface, not a protocol, so it can be used to discover and use the communication capabilities provided by any number of underlying transport protocols. The original Winsock was built around the TCP/IP protocol; Winsock 2 adds support for more transport protocols. Winsock 2 not only provides the Windows Sockets application programming interface (API) used by applications that need network services, but also the Winsock service provider interface (SPI), implemented by transport service providers and name resolution service providers, and WS2_32.dll. This article only discusses transport service providers and their application; name resolution service providers are not analyzed.
A Winsock 2 transport service provider exists as a dynamic link library (DLL). It exposes a single entry point, the WSPStartup function, to the layer above it; its other functions are reached through a dispatch table that WSPStartup hands back to WS2_32.dll. The provider DLL is loaded into memory only when an application needs it and is unloaded automatically when it is no longer needed. The position of the transport service provider in WOSA (the Windows Open Services Architecture) is:

    +--------------------------------------+
    |     Windows Sockets 2 Application    |
    +--------------------------------------+
              Windows Sockets 2 API
    +--------------------------------------+
    |              WS2_32.dll              |
    +--------------------------------------+
          Windows Sockets 2 Transport SPI
    +--------------------------------------+
    |    Transport Service Provider (DLL)  |
    +--------------------------------------+

The Windows Sockets SPI names the functions of a service provider with the following prefixes: WSP (Windows Sockets service provider), WPU (Windows Sockets provider upcall) and WSC (Windows Sockets configuration). Every transport service provider has its own transport protocol, described by a WSAPROTOCOL_INFOW structure. The provider stores all of its relevant information in this structure, and an application uses the contents of this structure to select the provider it associates with.

The Windows Sockets SPI distinguishes three kinds of protocol: layered protocols, base protocols and protocol chains. A layered protocol sits above a base protocol and relies on it to provide more advanced communication services. A base protocol is one that can carry out data communication with a remote endpoint entirely on its own; the name is relative to the layered protocols above it.

A protocol chain links a base protocol and one or more layered protocols in a fixed order, as shown below:

              API
    +------------------------+
    |       WS2_32.dll       |
    +------------------------+
              SPI
    +------------------------+
    |    Layered protocol    |
    +------------------------+
              SPI
    +------------------------+
    |    Layered protocol    |
    +------------------------+
              SPI
    +------------------------+
    |     Base protocol      |
    +------------------------+

The main task of the data transfer part of WS2_32.dll is to route traffic between applications and service providers. WS2_32.dll binds each application to one corresponding service provider: it selects a specific provider according to the parameters the application supplies when it creates a socket, and from then on forwards the application's calls to the provider that created that socket. In other words, WS2_32.dll is only an intermediary and the API is only an interface; the actual data communication is performed by the service provider. As noted above, WS2_32.dll decides which provider to use from the parameters of the socket-creating API functions WSASocket and socket. The parameters of WSASocket/socket include the address family, the socket type and the protocol, and together these three determine the provider that creates the socket. WS2_32.dll looks among the installed providers for the WSAPROTOCOL_INFOW structure that matches these three values, then calls the WSPStartup function corresponding to that structure (every transport service provider is a DLL whose only exported interface is WSPStartup; the other provider functions are reached through the table WSPStartup returns), and through that table calls WSPSocket to create the socket, WSPConnect to establish a connection, and so on.
Besides traffic routing, WS2_32.dll provides other services, such as protocol enumeration, thread-based blocking hook management, and version negotiation between WS2_32.dll and the service providers. The transport service provider implements functions such as connecting, transferring data, flow control and error control. WS2_32.dll does not know how the provider carries out a request; it is only the intermediary between the application and the provider. Transport service providers fall into two categories: those whose socket descriptors are installable file system (IFS) handles, and the remaining non-IFS providers. The program in this article installs a non-IFS provider. In short, the service provider implements the underlying, network-related protocol, while WS2_32.dll provides the routing in the middle; it is the provider that implements the function the user wants.

When implementing a transport service provider, the installation order is very important. The provider must not only be installed correctly but also registered with Windows Sockets, which saves the relevant information in the system catalog so that WS2_32.dll can easily find the provider the next time it is needed. WS2_32.dll provides the function WSCInstallProvider for installing a service provider; it requires the provider's data, such as the name and path of the DLL. WS2_32.dll also provides WSCDeinstallProvider for uninstalling a provider, which removes it from the system when it is no longer needed. Why is the installation order important? WSCEnumProtocols, one of the service provider configuration functions, enumerates all service providers installed in the system and lists them in their installation order.

As mentioned above, WS2_32.dll searches the installed providers for the one that matches the three parameters given to WSASocket/socket, so the installation order determines, to a certain extent, whether a provider is called correctly. Windows Sockets 2 also provides a dynamic link library, sporder.dll, that rearranges the order of all installed service providers (this DLL does not ship with the system, but is available in the Common directory of the SDK). T-sporder.exe in the appendix is a tool that queries the properties of all currently installed transport service providers. The system distinguishes base protocols, layered protocols and protocol chains by the ChainLen value of the ProtocolChain structure in WSAPROTOCOL_INFOW: ChainLen is 0 for a layered protocol, 1 for a base protocol, and greater than 1 for a protocol chain. A layered protocol and a base protocol are almost identical as far as the implementation of the transport service provider goes; they differ in how they are installed. In Windows, the providers that come with the system already implement almost all of the basic services, so the provider we write only needs to "modify" the datagram appropriately and then call the system provider to do the rest. Both base and layered providers can use this technique to avoid unnecessary work. A base provider is implemented mainly by replacing the installation path of the current system provider with the path of our own provider; of course the system provider's data, such as the name and path of its DLL, must be saved so that the system provider can be restored when our own provider is uninstalled.

A protocol chain is different. First all of the base protocols and layered protocols must be installed, then the WSAPROTOCOL_INFOW structure of the chain is constructed; every protocol that makes up the chain is listed in the chain's ProtocolChain.ChainEntries array, and the first protocol in the array should be the first layered service provider. When installing a layered protocol or a protocol chain we do not change the system provider, only the installation order of the system providers. Here we take the installation of a transport service provider implemented as a layered provider as the example.

WS2_32.dll loads the SPI DLL the way any dynamic link library is loaded, then calls WSPStartup to initialize it. WSPStartup is the initialization function, that is, the entry function, that a Windows Sockets 2 application's call reaches in the SPI program. Its LPWSAPROTOCOL_INFOW parameter points to the protocol information the application asked for; through that structure we obtain the saved name and path of the system provider's DLL, load the system provider, and find the WSPStartup function of the system SPI program. With that pointer we link our own provider's WSPStartup to the system SPI's WSPStartup, and from then on call the system provider's functions as needed. Implementing the transport service provider takes two programs: an executable that installs the transport service provider, and the transport service provider itself in the form of a DLL. Below we briefly analyze the main functions used by the installer (instif.exe) and by ipfilter.dll.

3) Analysis of the relevant program code

1. instif.exe

The executable instif.exe installs our own layered transport service provider and rearranges the order of all transport service providers so that our provider is at the head of the protocol chain; applications of the corresponding type therefore enter our transport service provider interface first. The program takes a single parameter, install (-install) or remove (-remove).

As a demonstration, this program only installs an IP layered protocol and the protocol chain associated with UDP (and ipfilter.dll only filters UDP datagrams whose destination port is 8000).

Custom functions:

    BOOL getfilter();      // enumerate all installed transport service providers
    void freefilter();     // release the storage
    void installfilter();  // install the layered protocol and the protocol chain, then reorder
    void removefilter();   // uninstall the layered protocol and the protocol chain

Code analysis:

    protoinfo = (LPWSAPROTOCOL_INFOW)GlobalAlloc(GPTR, protoinfosize);
    // allocate storage for the WSAPROTOCOL_INFOW structures
    TotalProtos = WSCEnumProtocols(NULL, protoinfo, &protoinfosize, &errorcode);
    // get all service providers installed in the system
    GetCurrentDirectory(MAX_PATH, filter_path);
    // get the current directory
    _tcscpy(filter_name, _T("\\ipfilter.dll"));
    // construct the full path name of the provider file ipfilter.dll
    WSCInstallProvider(&filterguid, filter_path, &iplayerinfo, 1, &errorcode);
    // install the custom IP layered protocol
    iplayercataid = protoinfo[i].dwCatalogEntryId;
    // obtain the catalog entry id that WS2_32.dll assigned to the installed custom IP layered protocol
    udpchaininfo.ProtocolChain.ChainEntries[0] = iplayercataid;
    // make the custom IP layered protocol the first provider of the custom UDP protocol chain
    WSCInstallProvider(&filterchainguid, filter_path, chainarray, provcnt, &errorcode);
    // install the protocol chain
    WSCWriteProviderOrder(cataentries, TotalProtos);
    // write the new provider order, placing the custom providers in front of all other protocols
    WSCDeinstallProvider(&filterguid, &errorcode);
    // uninstall the IP layered protocol
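The two pieces of installfilter() that are easiest to get wrong are splicing the layered provider's catalog id into the front of the UDP entry's ProtocolChain and building the id array handed to WSCWriteProviderOrder. The following is an added example, not code from the article or from instif.exe: it models both steps in portable C that compiles without the Windows SDK, and also covers the cases the installer does not check, a chain that is already at MAX_PROTOCOL_CHAIN and a bare layered entry with nothing underneath it. The struct chain and struct entry types and the IsOurs flag are stand-ins for WSAPROTOCOLCHAIN, WSAPROTOCOL_INFOW and the GUID comparison against filterguid; the catalog ids are constructed sample values.

```c
/* Added example (not from the article): portable model of the chain-splicing and
 * provider-reordering steps of instif.exe's installfilter(). The structs are
 * local stand-ins for WSAPROTOCOLCHAIN / WSAPROTOCOL_INFOW; ids are constructed. */
#include <stdio.h>
#include <string.h>

#define MAX_PROTOCOL_CHAIN 7   /* same limit as ws2spi.h */
#define LAYERED_PROTOCOL   0   /* ChainLen value of a layered provider */
#define BASE_PROTOCOL      1   /* ChainLen value of a base provider */

struct chain {
    int           ChainLen;
    unsigned long ChainEntries[MAX_PROTOCOL_CHAIN];
};

struct entry {                 /* the subset of WSAPROTOCOL_INFOW used here */
    unsigned long dwCatalogEntryId;
    int           IsOurs;      /* stand-in for memcmp(&ProviderId, &filterguid, ...) == 0 */
    struct chain  ProtocolChain;
};

/* Put layerid at the head of chain c, which was copied from the catalog entry
 * origid (a base provider or an existing chain). Returns 1 on success, 0 when
 * the entry cannot take another layer. */
int push_layer(struct chain *c, unsigned long origid, unsigned long layerid)
{
    int i;

    if (c->ChainLen == LAYERED_PROTOCOL)        /* nothing underneath to forward to */
        return 0;
    if (c->ChainLen >= MAX_PROTOCOL_CHAIN)      /* no free slot; WSCInstallProvider would fail */
        return 0;

    if (c->ChainLen == BASE_PROTOCOL) {
        /* A base entry does not list itself; it becomes the second element. */
        c->ChainEntries[1] = origid;
    } else {
        /* Existing chain: shift every element up one slot, entry 0 included. */
        for (i = c->ChainLen; i > 0; i--)
            c->ChainEntries[i] = c->ChainEntries[i - 1];
    }
    c->ChainEntries[0] = layerid;
    c->ChainLen++;
    return 1;
}

/* Build the id array for WSCWriteProviderOrder: our entries first, then the
 * rest in their existing order. Returns the number of ids written. */
int build_order(const struct entry *cat, int n, unsigned long *out)
{
    int i, k = 0;

    for (i = 0; i < n; i++)
        if (cat[i].IsOurs)
            out[k++] = cat[i].dwCatalogEntryId;
    for (i = 0; i < n; i++)
        if (!cat[i].IsOurs)
            out[k++] = cat[i].dwCatalogEntryId;
    return k;
}

int main(void)
{
    /* Constructed catalog: system UDP base (1001), our layered entry (1010),
     * and the chain entry (1011) built from the UDP base. */
    struct entry udp      = {1001, 0, {BASE_PROTOCOL, {0}}};
    struct entry layered  = {1010, 1, {LAYERED_PROTOCOL, {0}}};
    struct entry chainent = {1011, 1, {0, {0}}};
    struct entry cat[3];
    unsigned long order[3];
    int i, n;

    chainent.ProtocolChain = udp.ProtocolChain;
    push_layer(&chainent.ProtocolChain, udp.dwCatalogEntryId, layered.dwCatalogEntryId);

    cat[0] = udp; cat[1] = layered; cat[2] = chainent;
    n = build_order(cat, 3, order);

    printf("chain: len=%d entries=", chainent.ProtocolChain.ChainLen);
    for (i = 0; i < chainent.ProtocolChain.ChainLen; i++)
        printf("%lu ", chainent.ProtocolChain.ChainEntries[i]);
    printf("\norder:");
    for (i = 0; i < n; i++)
        printf(" %lu", order[i]);
    printf("\n");
    return 0;
}
```

The shift loop copies ChainEntries[i-1] into ChainEntries[i], which is what keeps the original first hop of an existing chain; an off-by-one there silently drops a provider from the chain, and the real installer only finds out when sockets of that type stop working.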
    WSCDeinstallProvider(&filterchainguid, &errorcode);
    // uninstall the protocol chain

2. ipfilter.dll

A transport service provider exists as a dynamic link library; it is loaded by WS2_32.dll when an application needs it and unloaded afterwards. The ipfilter.dll in this article filters transmitted UDP datagrams: the custom WSPSendTo function filters before the system service provider is called and decides whether to continue the call downward, while every other function calls the underlying system service provider directly and lets it do the processing. The transport service provider has only one entry function, WSPStartup, which is the initialization function that a Windows Sockets application's call reaches in the SPI; the other SPI functions are called through the lpProcTable parameter of WSPStartup.

Custom functions:

    int WSPAPI WSPSendTo(SOCKET s, LPWSABUF lpBuffers, DWORD dwBufferCount,
                         LPDWORD lpNumberOfBytesSent, DWORD dwFlags,
                         const struct sockaddr FAR *lpTo, int iToLen,
                         LPWSAOVERLAPPED lpOverlapped,
                         LPWSAOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine,
                         LPWSATHREADID lpThreadId, LPINT lpErrno);
    // the SPI function WSPSendTo corresponds to the Windows Sockets 2 API function WSASendTo

    int WSPAPI WSPStartup(WORD wVersionRequested, LPWSPDATA lpWSPData,
                          LPWSAPROTOCOL_INFOW lpProtocolInfo,
                          WSPUPCALLTABLE UpcallTable, LPWSPPROC_TABLE lpProcTable);
    // the SPI function WSPStartup corresponds to the Windows Sockets 2 API function WSAStartup;
    // only WSPStartup is the entry function; the remaining 30 SPI functions are reached through
    // the lpProcTable parameter, can only be called internally and are not exported

Code analysis:

    GetModuleFileName(NULL, processname, MAX_PATH);
    // get the full name of the executable that loaded this provider DLL
    OutputDebugString(_T("WSPSendTo Tencent filtered"));
    // output debugging information
    nextproctable.lpWSPSendTo(s, lpBuffers, dwBufferCount, lpNumberOfBytesSent, dwFlags, lpTo,
                              iToLen, lpOverlapped, lpCompletionRoutine, lpThreadId, lpErrno);
    // if the datagram meets the sending condition, call the underlying system provider to send it
    layerid = protoinfo[i].dwCatalogEntryId;
    // get the unique id WS2_32.dll assigned to the installed custom IP layered protocol
    nextlayerid = lpProtocolInfo->ProtocolChain.ChainEntries[i + 1];
    // get the id of the next transport service provider in the chain
    WSCGetProviderPath(&protoinfo[i].ProviderId, filterpath, &filterpathlen, &errorcode);
    // get the installation path of the next transport service provider
    ExpandEnvironmentStrings(filterpath, expandedpath, MAX_PATH);
    // expand environment variables in the path (the catalog stores paths such as %SystemRoot%\...)
    hfilter = LoadLibrary(expandedpath);
    // load the next transport service provider
    wspstartupfunc = (LPWSPSTARTUP)GetProcAddress(hfilter, "WSPStartup");
    // get the entry function WSPStartup of the next transport service provider
    wspstartupfunc(wVersionRequested, lpWSPData, lpProtocolInfo, UpcallTable, lpProcTable);
    // call the next provider's WSPStartup, which fills in the function table we are about to hook
    nextproctable = *lpProcTable;
    // save the next provider's 30 service function pointers
    lpProcTable->lpWSPSendTo = WSPSendTo;
    // replace the table entry so that our custom WSPSendTo is called instead

Because the provider DLL must export its entry function, there is also a module definition file, ipfilter.def:

    EXPORTS
    WSPStartup    ; export the entry function WSPStartup

3. t-sporder.exe

T-sporder.exe is an auxiliary tool that displays the properties of all transport service providers installed in the current system.

    TotalProtocols = WSCEnumProtocols(NULL, protoinfo, &protoinfosize, &errorcode);
    // get all transport service providers in the system, then print their properties according to the parameters

4) Summary and postscript

This article has introduced a new feature of Windows Sockets 2, the service provider interface (SPI). It covers not only the transport service provider interface that is our main subject, but also the namespace service provider interface. Of course, SPI-based packet filtering is not a particularly strong security measure, because much data transfer is built directly on TDI and is not affected by the SPI at all; this is why most popular firewalls are based on NDIS instead.

A transport service provider lives in the system as a DLL: whenever an IP-based program runs and the parameters match, our provider DLL is loaded. There are many system network services under Windows that are loaded automatically at system start-up, which provides favourable conditions for hiding a Trojan.
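Because the catalog decides which DLLs are pulled into every process that opens a matching socket, an administrator who wants to know whether a provider like this is present audits the same data that t-sporder.exe prints. The following is an added example, not code from the article or its tools: an offline audit over a catalog that flags layered providers whose DLL lives outside the system directory and the chains that route through them first. The struct cat_entry type is a stand-in for the WSAPROTOCOL_INFOW fields plus the WSCGetProviderPath result, the catalog is constructed sample data, and on a real system the path would be run through ExpandEnvironmentStrings and the system directory obtained from GetSystemDirectory before comparing.

```c
/* Added example (not from the article): an offline audit of a Winsock catalog,
 * i.e. the data WSCEnumProtocols / t-sporder.exe return, that flags layered
 * providers loaded from outside the system directory and the chains whose
 * first hop is one of them. The catalog below is constructed sample data. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_PROTOCOL_CHAIN 7

struct cat_entry {
    unsigned long id;                           /* dwCatalogEntryId */
    const char   *name;                         /* szProtocol */
    int           ChainLen;                     /* 0 layered, 1 base, >1 chain */
    unsigned long entries[MAX_PROTOCOL_CHAIN];  /* ProtocolChain.ChainEntries */
    const char   *dllpath;                      /* expanded WSCGetProviderPath result */
};

/* Case-insensitive prefix test; Windows paths are case-insensitive. */
int path_is_under(const char *path, const char *dir)
{
    size_t i, n = strlen(dir);

    if (strlen(path) < n)
        return 0;
    for (i = 0; i < n; i++)
        if (tolower((unsigned char)path[i]) != tolower((unsigned char)dir[i]))
            return 0;
    return 1;
}

/* Writes the ids of suspicious entries to flagged[] (at most max) and returns
 * how many were written: first every layered provider loaded from outside
 * sysdir, then every chain whose first hop is one of those providers. */
int audit_catalog(const struct cat_entry *cat, int n, const char *sysdir,
                  unsigned long *flagged, int max)
{
    int i, j, k = 0, nlayered;

    for (i = 0; i < n && k < max; i++)
        if (cat[i].ChainLen == 0 && !path_is_under(cat[i].dllpath, sysdir))
            flagged[k++] = cat[i].id;
    nlayered = k;
    for (i = 0; i < n && k < max; i++) {
        if (cat[i].ChainLen <= 1)
            continue;                 /* base providers have no first hop to check */
        for (j = 0; j < nlayered; j++) {
            if (cat[i].entries[0] == flagged[j]) {
                flagged[k++] = cat[i].id;
                break;
            }
        }
    }
    return k;
}

/* Constructed sample: the system UDP provider plus the two entries instif.exe
 * creates when run from a working directory rather than system32. */
const struct cat_entry sample_catalog[] = {
    {1001, "MSAFD Tcpip [UDP/IP]", 1, {0},          "c:\\windows\\system32\\mswsock.dll"},
    {1010, "t-ipfilter",           0, {0},          "C:\\Tools\\ipfilter.dll"},
    {1011, "t-udpfilter",          2, {1010, 1001}, "C:\\Tools\\ipfilter.dll"},
};
#define SAMPLE_COUNT (int)(sizeof(sample_catalog) / sizeof(sample_catalog[0]))

int main(void)
{
    unsigned long flagged[8];
    int i, n;

    n = audit_catalog(sample_catalog, SAMPLE_COUNT, "C:\\Windows\\System32\\", flagged, 8);
    for (i = 0; i < n; i++)
        printf("suspicious catalog entry %lu\n", flagged[i]);
    return 0;
}
```

A hit is a starting point, not a verdict: legitimate third-party LSPs are installed the same way, so the next step is to check the flagged DLL's signature and publisher and, if it is unwanted, remove it with WSCDeinstallProvider rather than deleting the file, since a catalog entry pointing at a missing DLL breaks socket creation for that protocol.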
In other words, many IP-based network system programs run at boot, so a Trojan embedded in the transport service provider is loaded automatically when the system starts and is not unloaded until the system shuts down. Its characteristic is that the transport service provider (Trojan included) is loaded as long as it has been installed once; there is no need to run an installer each time the system starts, as there is with remote thread injection, and it is loaded by more than one system network program. A compiled executable (which filters QQ datagrams) can be downloaded from our website (FZ5FZ.YEAH.NET).

5) Appendix: source code

1. instif.exe

#define UNICODE
#define _UNICODE
#include <windows.h>
#include <winsock2.h>
#include <ws2spi.h>
#include <stdio.h>
#include <tchar.h>

// WSCEnumProtocols, WSCInstallProvider and WSCDeinstallProvider live in ws2_32.lib.
// WSCWriteProviderOrder came from sporder.dll (sporder.lib) in the 2002 SDK;
// current SDKs export it from ws2_32.dll as well.
#pragma comment(lib, "ws2_32.lib")

// GUID of the custom IP layered provider; must match the one in ipfilter.dll.
GUID filterguid = {0x4d1e91fd, 0x116a, 0x44aa, {0x8f, 0xd4, 0x1d, 0x2c, 0xf2, 0x7b, 0xd9, 0xa9}};
// GUID of the custom UDP protocol chain. The original listing shows only five of
// the eight Data4 bytes; the remaining three are zero-initialized here.
GUID filterchainguid = {0xd3c21121, 0x85e1, 0x48f3, {0x9a, 0x0c, 0x73, 0x07, 0xef}};

BOOL getfilter();
void freefilter();
void installfilter();
void removefilter();
void start();
void usage();

int                 TotalProtos = 0;    // number of catalog entries
DWORD               protoinfosize = 0;  // size in bytes of the protoinfo buffer
LPWSAPROTOCOL_INFOW protoinfo = NULL;   // catalog returned by WSCEnumProtocols

int main(int argc, char *argv[])
{
    start();
    if (argc == 2)
    {
        if (strcmp(argv[1], "-install") == 0)
        {
            installfilter();
            return 0;
        }
        else if (strcmp(argv[1], "-remove") == 0)
        {
            removefilter();
            return 0;
        }
    }
    usage();
    return 0;
}

// Enumerate the Winsock catalog into the global protoinfo buffer.
BOOL getfilter()
{
    int errorcode;

    protoinfo = NULL;
    TotalProtos = 0;
    protoinfosize = 0;
    // First call with a NULL buffer: fails with WSAENOBUFS and returns the size needed.
    if (WSCEnumProtocols(NULL, protoinfo, &protoinfosize, &errorcode) == SOCKET_ERROR)
    {
        if (errorcode != WSAENOBUFS)
        {
            _tprintf(_T("first WSCEnumProtocols error: %d\n"), errorcode);
            return FALSE;
        }
    }
    if ((protoinfo = (LPWSAPROTOCOL_INFOW)GlobalAlloc(GPTR, protoinfosize)) == NULL)
    {
        _tprintf(_T("GlobalAlloc in getfilter error: %d\n"), GetLastError());
        return FALSE;
    }
    // Second call fills the buffer and returns the number of entries.
    if ((TotalProtos = WSCEnumProtocols(NULL, protoinfo, &protoinfosize, &errorcode)) == SOCKET_ERROR)
    {
        _tprintf(_T("second WSCEnumProtocols error: %d\n"), errorcode);
        return FALSE;
    }
    _tprintf(_T("Found %d protocols!\n"), TotalProtos);
    return TRUE;
}

void freefilter()
{
    GlobalFree(protoinfo);
    protoinfo = NULL;
}

void installfilter()
{
    int                i;
    int                provcnt;
    int                cataindex;
    int                errorcode;
    BOOL               rawip = FALSE;
    BOOL               udpip = FALSE;
    DWORD              iplayercataid = 0, udporigcataid = 0;
    TCHAR              filter_path[MAX_PATH];
    TCHAR              filter_name[MAX_PATH];
    TCHAR              chainname[WSAPROTOCOL_LEN + 1];
    LPDWORD            cataentries;
    WSAPROTOCOL_INFOW  iplayerinfo, udpchaininfo, chainarray[1];

    if (!getfilter())
        return;

    // Use the system's IP entry as the template for our layered provider and the
    // system's UDP entry as the template for the chain we put in front of it.
    for (i = 0; i < TotalProtos; i++)
    {
        if (!rawip
            && protoinfo[i].iAddressFamily == AF_INET
            && protoinfo[i].iProtocol == IPPROTO_IP)
        {
            rawip = TRUE;
            memcpy(&iplayerinfo, &protoinfo[i], sizeof(WSAPROTOCOL_INFOW));
            // Our provider is a non-IFS provider: clear the IFS-handle flag.
            iplayerinfo.dwServiceFlags1 = protoinfo[i].dwServiceFlags1 & (~XP1_IFS_HANDLES);
        }
        if (!udpip
            && protoinfo[i].iAddressFamily == AF_INET
            && protoinfo[i].iProtocol == IPPROTO_UDP)
        {
            udpip = TRUE;
            udporigcataid = protoinfo[i].dwCatalogEntryId;
            memcpy(&udpchaininfo, &protoinfo[i], sizeof(WSAPROTOCOL_INFOW));
            udpchaininfo.dwServiceFlags1 = protoinfo[i].dwServiceFlags1 & (~XP1_IFS_HANDLES);
        }
    }
    if (!rawip)
    {
        _tprintf(_T("no AF_INET/IPPROTO_IP provider found\n"));
        return;
    }
    _tcscpy(iplayerinfo.szProtocol, _T("t-ipfilter"));
    iplayerinfo.ProtocolChain.ChainLen = LAYERED_PROTOCOL;

    // The provider DLL is registered with the full path of ipfilter.dll in the current directory.
    if (GetCurrentDirectory(MAX_PATH, filter_path) == 0)
    {
        _tprintf(_T("GetCurrentDirectory error: %d\n"), GetLastError());
        return;
    }
    _tcscpy(filter_name, _T("\\ipfilter.dll"));
    _tcscat(filter_path, filter_name);

    // Install the layered provider first; WS2_32.dll assigns it a catalog entry id.
    if (WSCInstallProvider(&filterguid, filter_path, &iplayerinfo, 1, &errorcode) == SOCKET_ERROR)
    {
        _tprintf(_T("WSCInstallProvider error: %d\n"), errorcode);
        return;
    }
    freefilter();
    getfilter();
    for (i = 0; i < TotalProtos; i++)
    {
        if (memcmp(&protoinfo[i].ProviderId, &filterguid, sizeof(GUID)) == 0)
        {
            iplayercataid = protoinfo[i].dwCatalogEntryId;
            break;
        }
    }

    // Build the UDP protocol chain with our layered provider at its head.
    provcnt = 0;
    if (udpip)
    {
        _tcscpy(chainname, _T("t-udpfilter"));
        _tcscpy(udpchaininfo.szProtocol, chainname);
        if (udpchaininfo.ProtocolChain.ChainLen == BASE_PROTOCOL)
        {
            // A base provider becomes the second element of the new chain.
            udpchaininfo.ProtocolChain.ChainEntries[1] = udporigcataid;
        }
        else
        {
            // Already a chain: shift every entry up one slot to free index 0.
            for (i = udpchaininfo.ProtocolChain.ChainLen; i > 0; i--)
            {
                udpchaininfo.ProtocolChain.ChainEntries[i] = udpchaininfo.ProtocolChain.ChainEntries[i - 1];
            }
        }
        udpchaininfo.ProtocolChain.ChainLen++;
        udpchaininfo.ProtocolChain.ChainEntries[0] = iplayercataid;
        memcpy(&chainarray[provcnt++], &udpchaininfo, sizeof(WSAPROTOCOL_INFOW));
    }
    if (WSCInstallProvider(&filterchainguid, filter_path, chainarray, provcnt, &errorcode) == SOCKET_ERROR)
    {
        _tprintf(_T("WSCInstallProvider for chain error: %d\n"), errorcode);
        return;
    }
    freefilter();
    getfilter();

    // Reorder the catalog: our two entries first, everything else in its existing order.
    if ((cataentries = (LPDWORD)GlobalAlloc(GPTR, TotalProtos * sizeof(DWORD))) == NULL)
    {
        _tprintf(_T("GlobalAlloc in installfilter error: %d\n"), GetLastError());
        return;
    }
    cataindex = 0;
    for (i = 0; i < TotalProtos; i++)
    {
        if (memcmp(&protoinfo[i].ProviderId, &filterguid, sizeof(GUID)) == 0
            || memcmp(&protoinfo[i].ProviderId, &filterchainguid, sizeof(GUID)) == 0)
        {
            cataentries[cataindex++] = protoinfo[i].dwCatalogEntryId;
        }
    }
    for (i = 0; i < TotalProtos; i++)
    {
        if (memcmp(&protoinfo[i].ProviderId, &filterguid, sizeof(GUID)) != 0
            && memcmp(&protoinfo[i].ProviderId, &filterchainguid, sizeof(GUID)) != 0)
        {
            cataentries[cataindex++] = protoinfo[i].dwCatalogEntryId;
        }
    }
    if ((errorcode = WSCWriteProviderOrder(cataentries, TotalProtos)) != ERROR_SUCCESS)
    {
        _tprintf(_T("WSCWriteProviderOrder error: %d\n"), errorcode);
        GlobalFree(cataentries);
        return;
    }
    GlobalFree(cataentries);
    freefilter();
    _tprintf(_T("\nInstall IP filter successful\n"));
    return;
}

void removefilter()
{
    int  errorcode;
    BOOL signal = TRUE;

    if (WSCDeinstallProvider(&filterguid, &errorcode) == SOCKET_ERROR)
    {
        _tprintf(_T("WSCDeinstallProvider filterguid error: %d\n"), errorcode);
        signal = FALSE;
    }
    if (WSCDeinstallProvider(&filterchainguid, &errorcode) == SOCKET_ERROR)
    {
        _tprintf(_T("WSCDeinstallProvider filterchainguid error: %d\n"), errorcode);
        signal = FALSE;
    }
    if (signal)
    {
        _tprintf(_T("Deinstall IP filter successful\n"));
    }
    return;
}

void start()
{
    _tprintf(_T("Install IP filter, by TOO2Y\n"));
    _tprintf(_T("E-mail: too2y@safechina.net\n"));
    _tprintf(_T("Homepage: fz5fz.yeah.net\n"));
    _tprintf(_T("Date: 10-29-2002\n\n"));
    return;
}

void usage()
{
    _tprintf(_T("Usage: instif [-install | -remove]\n"));
    return;
}

2. ipfilter.dll

#define UNICODE
#define _UNICODE
#include <windows.h>
#include <winsock2.h>
#include <ws2spi.h>
#include <tchar.h>

#pragma comment(lib, "ws2_32.lib")

// Must match the layered provider GUID registered by instif.exe.
GUID filterguid = {0x4d1e91fd, 0x116a, 0x44aa, {0x8f, 0xd4, 0x1d, 0x2c, 0xf2, 0x7b, 0xd9, 0xa9}};

LPWSAPROTOCOL_INFOW protoinfo = NULL;   // catalog returned by WSCEnumProtocols
WSPPROC_TABLE       nextproctable;      // the next provider's 30 SPI functions
DWORD               protoinfosize = 0;
int                 TotalProtos = 0;

// Enumerate the Winsock catalog into the global protoinfo buffer.
BOOL getfilter()
{
    int errorcode;

    protoinfo = NULL;
    protoinfosize = 0;
    TotalProtos = 0;
    if (WSCEnumProtocols(NULL, protoinfo, &protoinfosize, &errorcode) == SOCKET_ERROR)
    {
        if (errorcode != WSAENOBUFS)
        {
            OutputDebugString(_T("first WSCEnumProtocols error!"));
            return FALSE;
        }
    }
    if ((protoinfo = (LPWSAPROTOCOL_INFOW)GlobalAlloc(GPTR, protoinfosize)) == NULL)
    {
        OutputDebugString(_T("GlobalAlloc error!"));
        return FALSE;
    }
    if ((TotalProtos = WSCEnumProtocols(NULL, protoinfo, &protoinfosize, &errorcode)) == SOCKET_ERROR)
    {
        OutputDebugString(_T("second WSCEnumProtocols error!"));
        return FALSE;
    }
    return TRUE;
}

void freefilter()
{
    GlobalFree(protoinfo);
    protoinfo = NULL;
}

BOOL WINAPI DllMain(HINSTANCE hmodule, DWORD reason, LPVOID lpreserved)
{
    TCHAR processname[MAX_PATH];
    TCHAR showmessage[MAX_PATH + 25];

    if (reason == DLL_PROCESS_ATTACH)
    {
        // Report which process loaded the provider (visible in a debugger or DebugView).
        GetModuleFileName(NULL, processname, MAX_PATH);
        _tcscpy(showmessage, processname);
        _tcscat(showmessage, _T(" loading ipfilter..."));
        OutputDebugString(showmessage);
    }
    return TRUE;
}

// Replacement for the next provider's WSPSendTo: drops UDP datagrams addressed
// to port 8000 and passes everything else down the chain unchanged.
int WSPAPI WSPSendTo(SOCKET s, LPWSABUF lpBuffers, DWORD dwBufferCount,
                     LPDWORD lpNumberOfBytesSent, DWORD dwFlags,
                     const struct sockaddr FAR *lpTo, int iToLen,
                     LPWSAOVERLAPPED lpOverlapped,
                     LPWSAOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine,
                     LPWSATHREADID lpThreadId, LPINT lpErrno)
{
    struct sockaddr_in sin;

    // Only inspect a complete IPv4 address; anything else goes straight through.
    if (lpTo != NULL && iToLen >= (int)sizeof(struct sockaddr_in) && lpTo->sa_family == AF_INET)
    {
        sin = *(const struct sockaddr_in *)lpTo;
        if (sin.sin_port == htons(8000))
        {
            OutputDebugString(_T("WSPSendTo Tencent filtered"));
            // Report success to the caller but send nothing.
            if (lpNumberOfBytesSent != NULL)
                *lpNumberOfBytesSent = 0;
            return 0;
        }
    }
    return nextproctable.lpWSPSendTo(s, lpBuffers, dwBufferCount, lpNumberOfBytesSent, dwFlags,
                                     lpTo, iToLen, lpOverlapped, lpCompletionRoutine,
                                     lpThreadId, lpErrno);
}

// Entry point called by WS2_32.dll (exported through ipfilter.def). Locates the
// next provider in the chain, lets it initialize, then hooks WSPSendTo.
int WSPAPI WSPStartup(WORD wVersionRequested, LPWSPDATA lpWSPData,
                      LPWSAPROTOCOL_INFOW lpProtocolInfo,
                      WSPUPCALLTABLE UpcallTable, LPWSPPROC_TABLE lpProcTable)
{
    int          i;
    int          errorcode;
    int          filterpathlen;
    int          result = WSAEPROVIDERFAILEDINIT;
    DWORD        layerid = 0;
    DWORD        nextlayerid = 0;
    TCHAR        *filterpath = NULL;
    TCHAR        *expandedpath = NULL;
    HINSTANCE    hfilter;
    LPWSPSTARTUP wspstartupfunc = NULL;

    OutputDebugString(_T("ipfilter WSPStartup..."));

    // A layered provider is only meaningful as part of a chain of at least two entries.
    if (lpProtocolInfo->ProtocolChain.ChainLen <= 1)
    {
        OutputDebugString(_T("ChainLen <= 1"));
        return WSAEPROVIDERFAILEDINIT;
    }
    if (!getfilter())
        return WSAEPROVIDERFAILEDINIT;

    // Find our own catalog entry id so we can locate ourselves in the chain.
    for (i = 0; i < TotalProtos; i++)
    {
        if (memcmp(&protoinfo[i].ProviderId, &filterguid, sizeof(GUID)) == 0)
        {
            layerid = protoinfo[i].dwCatalogEntryId;
            break;
        }
    }
    // The entry after ours in the chain is the provider we forward to.
    for (i = 0; i < lpProtocolInfo->ProtocolChain.ChainLen - 1; i++)
    {
        if (lpProtocolInfo->ProtocolChain.ChainEntries[i] == layerid)
        {
            nextlayerid = lpProtocolInfo->ProtocolChain.ChainEntries[i + 1];
            break;
        }
    }
    if (nextlayerid == 0)
    {
        OutputDebugString(_T("next layer not found in chain!"));
        goto cleanup;
    }

    // WSCGetProviderPath counts the path length in characters, so size the buffers in TCHARs.
    filterpathlen = MAX_PATH;
    filterpath   = (TCHAR *)GlobalAlloc(GPTR, filterpathlen * sizeof(TCHAR));
    expandedpath = (TCHAR *)GlobalAlloc(GPTR, MAX_PATH * sizeof(TCHAR));
    if (filterpath == NULL || expandedpath == NULL)
    {
        OutputDebugString(_T("GlobalAlloc error!"));
        goto cleanup;
    }
    for (i = 0; i < TotalProtos; i++)
    {
        if (nextlayerid == protoinfo[i].dwCatalogEntryId)
        {
            if (WSCGetProviderPath(&protoinfo[i].ProviderId, filterpath, &filterpathlen, &errorcode) == SOCKET_ERROR)
            {
                OutputDebugString(_T("WSCGetProviderPath error!"));
                goto cleanup;
            }
            break;
        }
    }
    // The catalog path may contain %SystemRoot%; ExpandEnvironmentStrings needs
    // distinct source and destination buffers.
    if (!ExpandEnvironmentStrings(filterpath, expandedpath, MAX_PATH))
    {
        OutputDebugString(_T("ExpandEnvironmentStrings error!"));
        goto cleanup;
    }
    if ((hfilter = LoadLibrary(expandedpath)) == NULL)
    {
        OutputDebugString(_T("LoadLibrary error!"));
        goto cleanup;
    }
    if ((wspstartupfunc = (LPWSPSTARTUP)GetProcAddress(hfilter, "WSPStartup")) == NULL)
    {
        OutputDebugString(_T("GetProcAddress error!"));
        goto cleanup;
    }
    // Let the next provider initialize and fill in its function table.
    if ((errorcode = wspstartupfunc(wVersionRequested, lpWSPData, lpProtocolInfo, UpcallTable, lpProcTable)) != ERROR_SUCCESS)
    {
        OutputDebugString(_T("wspstartupfunc error!"));
        result = errorcode;
        goto cleanup;
    }
    // Save the next provider's table, then replace the one entry we intercept.
    nextproctable = *lpProcTable;
    lpProcTable->lpWSPSendTo = WSPSendTo;
    result = 0;

cleanup:
    if (filterpath != NULL)
        GlobalFree(filterpath);
    if (expandedpath != NULL)
        GlobalFree(expandedpath);
    freefilter();
    return result;
}

Please credit the original source when reposting: https://www.9cbs.com/read-118128.html
